将HTML代码注入和解释为JSF页面的组件 [英] Component to inject and interpret String with HTML code into JSF page
问题描述
< p:editor> 组件,以使用户能够创建富文本。但是这个组件的输出是HTML源码,如下所示: String text =< p> i>包含< / i>一些< b> HTML< / b>代码< / p>;
当我在< h:outputText> 如下:
< h:outputText value =#{bean.text}/>
然后它将HTML代码显示为纯文本:
< p>此文本< i>包含< / i>一些< b> HTML< / b>代码。< / p>
是否有任何组件可以解释HTML源, < i> 实际上以斜体显示,< b> 为粗体
此文本包含某些 HTML 代码。
JSF默认从支持bean属性转义HTML,以防止XSS攻击漏洞。要禁用此功能,只需将< h:outputText> 的转义属性设置为 。
< h:outputText ... escape =false/>
这样HTML将不会被转义,因此将被webbrowser解释。 >
与具体问题无关,请注意XSS攻击,因为您在这里基本上重新显示用户控制输入未转义。您可能需要事先消毒。
- XSS背后的一般概念是什么?
- JSF中的CSRF,XSS和SQL注入攻击防范
- JSF的服务器端HTML消毒剂/清理
- 除了h中的所有内容,除了linebreaks:outputText
I'm using PrimeFaces with JSF 2.0 to build one application. I'm using PrimeFaces <p:editor> component to enable user to create rich text. But the output of this component is HTML source which look like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in a <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the webbrowser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
- What is the general concept behind XSS?
- CSRF, XSS and SQL Injection attack prevention in JSF
- Server side HTML sanitizer/cleanup for JSF
- Escape everything but linebreaks in h:outputText
这篇关于将HTML代码注入和解释为JSF页面的组件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
